WHAT IS CLAIMED IS: 

1. A method for protecting a computer environment, comprising:

providing an index;
comparing a first event with the index;
determining whether the first event is unusual; and
determining whether a security incident associated with the first event has 
occurred. 

2. A method for protecting a computer environment as recited in Claim 1, wherein 
the first event indicates that a file has been modified. 

3. A method for protecting a computer environment as recited in Claim 1, wherein
determining whether the first event is unusual includes looking up an identifier of a file in 
the index; and wherein the file is associated with the first event. 

4. A method for protecting a computer environment as recited in Claim 3, wherein 
the identifier includes a signature.

5. A method for protecting a computer environment as recited in Claim 3, wherein
the identifier includes a signature generated by a hash function. 

6. A method for protecting a computer environment as recited in Claim 3, wherein 
the identifier includes a signature generated by a checksum function. 

7. A method for protecting a computer environment as recited in Claim 1, wherein 
the first event indicates that a file has been modified, and determining whether the file
modification is unusual includes comparing a number of occurrences of the file in the
index with a threshold.

8. A method for protecting a computer environment as recited in Claim 1, wherein
the first event indicates that a file has been modified, and determining whether the 
security incident associated with the first event has occurred includes comparing a 
number of occurrences of the file in the index with a threshold.

9. A method for protecting a computer environment as recited in Claim 1, wherein
determining whether the security incident associated with the first event has occurred 
includes looking up an identifier of a file in the index, and wherein the file is associated 
with the first event. 

10. A method for protecting a computer environment as recited in Claim 1, wherein
determining whether the security incident associated with the first event has occurred
includes correlating a second event with the first event.

11. A method for protecting a computer environment as recited in Claim 1, wherein 
determining whether the security incident associated with the first event has occurred 
includes correlating a second event with the first event; and the second event is a
monitored event.

12. A method for protecting a computer environment as recited in Claim 1, wherein 
determining whether a security incident associated with the first event has occurred 
includes applying a rule. 

13. A method for protecting a computer environment as recited in Claim 1, further 
comprising determining a priority of the security incident if it is determined that a
security incident associated with the first event has occurred.

14. A method for protecting a computer environment as recited in Claim 1, further
comprising determining a degree of unusualness for the first event.

15. A method for protecting a computer environment as recited in Claim 1, further
comprising determining a degree of unusualness for the first event and determining a 
priority of the security incident based on the degree of unusualness. 

16. A method for protecting a computer environment as recited in Claim 1, wherein 
the index includes an archive index.

17. A method for protecting a computer environment as recited in Claim 1, wherein
the index includes an archive index that includes a file signature. 

18. A method for protecting a computer environment as recited in Claim 1, wherein 
the index includes an archive index that includes file revision information. 

19. A method for protecting a computer environment as recited in Claim 1, wherein
the index includes an archive index stored in a database. 

20. A method for protecting a computer environment as recited in Claim 1, wherein 
the index includes an archive index stored in an extensible markup language (XML) file. 

21. A method for protecting a computer environment as recited in Claim 1, wherein
the index is cached.

22. A system for protecting a computer environment, comprising: 

a processor configured to provide an index, compare a first event with the 
index, determine whether the first event is unusual and determine whether a 
security incident associated with the first event has occurred; and 
a memory coupled with the processor, wherein the memory is configured
to provide the processor with instructions.

23. A computer program product for protecting a computer environment, the
computer program product being embodied in a computer readable medium and 
comprising computer instructions for: 

providing an index; 

comparing a first event with the index; 

determining whether the first event is unusual; and 

determining whether a security incident associated with the first event has 
occurred. 
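
One way the steps recited in Claims 1, 3, 5, 7, 10 and 13 to 15 could fit together, added here as an illustration and not taken from the patent. The threshold value, the degree-of-unusualness scale, the correlation rule, and all names and sample data are assumptions.

```python
import hashlib
from dataclasses import dataclass

def signature(data: bytes) -> str:
    """File identifier: a signature generated by a hash function."""
    return hashlib.sha256(data).hexdigest()

# Constructed archive index: signature -> occurrences of that file content
# across archived copies. Values are sample data for this example.
COMMON = b"vendor build 7 of /usr/bin/login"
RARE = b"site-local build of /usr/bin/login"
ARCHIVE_INDEX = {signature(COMMON): 412, signature(RARE): 2}
THRESHOLD = 5  # assumed: fewer occurrences than this counts as unusual

@dataclass
class Event:
    host: str
    kind: str             # "file_modified" or another monitored event type
    content: bytes = b""  # new file content, for file_modified events

def degree_of_unusualness(event, index, threshold=THRESHOLD):
    """Assumed scale: 0.0 at or above the threshold, 1.0 when never seen."""
    count = index.get(signature(event.content), 0)
    return max(0.0, 1.0 - count / threshold)

def assess(first, monitored, index=ARCHIVE_INDEX):
    """Compare the first event with the index, then apply an assumed rule:
    an unusual modification plus a second monitored event on the same host
    is treated as a security incident."""
    degree = degree_of_unusualness(first, index)
    unusual = degree > 0.0
    correlated = [e for e in monitored
                  if e.host == first.host and e.kind != "file_modified"]
    incident = unusual and bool(correlated)
    priority = None
    if incident:  # priority follows from the degree of unusualness
        priority = "high" if degree >= 0.8 else "medium"
    return {"unusual": unusual, "degree": degree,
            "incident": incident, "priority": priority}

# Constructed monitored events for the demonstration.
MONITORED = [Event("web01", "outbound_connection"), Event("db02", "login_failure")]

if __name__ == "__main__":
    for content in (COMMON, RARE, b"never archived"):
        print(assess(Event("web01", "file_modified", content), MONITORED))
```
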